Skip to content

feat(claude-code): agent-integrity plugin (Agent Manifest + TRACE)#35

Merged
imran-siddique merged 1 commit into
mainfrom
feat/claude-code-agent-integrity
Jul 15, 2026
Merged

feat(claude-code): agent-integrity plugin (Agent Manifest + TRACE)#35
imran-siddique merged 1 commit into
mainfrom
feat/claude-code-agent-integrity

Conversation

@imran-siddique

Copy link
Copy Markdown
Contributor

What

A Claude Code integration that turns agentrust's own governance specs on the coding agent we use daily. Per session it captures:

  • Agent Manifest — what the agent is: skills, tools, MCP servers, model, permission policy, instruction layer, each fingerprinted and Ed25519-signed.
  • TRACE Trust Record — what the agent did this run, signed and conformance-checkable (Level 0, software-only).

and answers: is the agent I'm running the one I approved — nothing added, nothing subtracted?

How it works

  • SessionStart hook is stdlib-only (no crypto deps, never blocks startup): snapshot from disk, diff against ~/.claude/agentrust/baseline.json, warn in-session on drift.
  • /manifest verify|approve and /trace slash commands. Signing runs only on demand.
  • observed-category diff: the disk-only hook compares skills/permissions/instruction-layer and never false-flags the live tool roster of a richer baseline (regression-tested).

Verification

  • pytest tests/ — 6 passing (stdlib-only, no network/crypto).
  • Emitted TRACE record passes trace-tests verify --level 0 (PASS 8/8).
  • Manifest schema-validates and its Ed25519 signature re-verifies.
  • integration.yaml validates against schema/integration.schema.json.
  • Exercised on a real box: clean baseline, tamper (rogue skill / rogue MCP) correctly flagged.

Honest scope (see README "Known gaps")

Software-only Level 0 (no TEE on a dev box); the system_prompt fingerprint is a proxy over CLAUDE.md/memory; policy_language enum has no host-native value (modelled as composite, spec feedback to follow); agent-manifest 0.3.x targeted but PyPI is at 0.2.0.

Tier left as community (set by maintainers, not self-declared).

🤖 Generated with Claude Code

Adds a Claude Code integration that, per session, captures what the agent
IS (skills, tools, MCP servers, model, permissions, instruction layer) as a
signed Agent Manifest and what it DID as a signed TRACE record, and checks
nothing was added or subtracted since an approved baseline.

- SessionStart hook: stdlib-only snapshot + drift warning (no crypto deps)
- /manifest verify|approve and /trace commands
- observed-category diff so the disk-only hook never false-flags the live
  tool roster of a richer baseline
- software-only / Level 0; honest Known-gaps section

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@imran-siddique imran-siddique merged commit 9d93102 into main Jul 15, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant